Description
Unauthenticated PHP Object Injection in Moderno < 1.43 versions.
Published: 2026-06-17
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated PHP Object Injection flaw exists in the Moderno WordPress theme for versions lower than 1.43. The vulnerability allows an attacker to supply malicious serialized objects, which the theme deserializes without proper validation. This flaw is a CWE-502 type weakness and can enable execution of arbitrary PHP code, compromising the confidentiality, integrity, and availability of the affected web site.

Affected Systems

The vulnerability affects the WordPress Moderno Theme, developed by park_of_ideas, specifically any release earlier than version 1.43.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity. Although the EPSS score is not available, the lack of a KEV listing does not diminish the risk; an attacker who can send crafted requests to the theme can exploit the flaw with no authentication. The vulnerable code path is likely reachable via any publicly accessible page that loads the theme, making the attack vector remote and unrestricted.

Generated by OpenCVE AI on June 18, 2026 at 11:44 UTC.

Remediation

Vendor Solution

Update the WordPress Moderno Theme to the latest available version (at least 1.43).


OpenCVE Recommended Actions

  • Update the Moderno Theme to version 1.43 or later as soon as possible.
  • If an upgrade cannot be performed immediately, disable the Moderno theme or remove it from active use until the patch is applied.
  • After applying the patch, verify that the theme is no longer loading any of the old vulnerable files and perform a security scan to ensure no malicious objects remain present.

Generated by OpenCVE AI on June 18, 2026 at 11:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Park Of Ideas
Park Of Ideas moderno
Wordpress
Wordpress wordpress
Vendors & Products Park Of Ideas
Park Of Ideas moderno
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated PHP Object Injection in Moderno < 1.43 versions.
Title WordPress Moderno theme < 1.43 - PHP Object Injection vulnerability
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Park Of Ideas Moderno
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:02:00.304Z

Reserved: 2026-05-27T15:12:19.105Z

Link: CVE-2026-49108

cve-icon Vulnrichment

Updated: 2026-06-17T14:01:53.945Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:42Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data